IBM's SoftLayer, Europe's OVH top Cloudmark list of hosters with most hacked domains

Cyber-criminals are compromising websites at hosting companies at an ever more furious rate, exploiting them to host dangerous content and to send spam from the compromised accounts, according to messaging security firm Cloudmark in its threat report released today.

There are now about 500 websites compromised each day, compared with fewer than 200 each day last year, and several days in May of this year spiked to more than 1,600 newly hacked websites each day, according to Cloudmark. The company’s analysis is based on the spam filtering it performs for about 2 billion mailboxes worldwide.

Research analyst Andrew Conway says Cloudmark believes more than 2,500 hosting companies have hacked domains, with the largest of them having more than a thousand each. In the U.S., the hosting company with the most hacked domains is SoftLayer, now owned by IBM, with more than 6,500 compromised websites at present, he says. In Europe, it’s OVH with more than 3,200 hacked domains.

“This is simply a measure of the fact that these are the largest hosting providers,” Conway says. “Any large hosting provider is likely to have dozens or hundreds of hacked domains.”

Cyber-criminals use the websites they break into to host content such as porn and malware, then send spam messages linking to the compromised site to draw in anyone who receives them. Sometimes the compromised website is just a place to post a URL redirection to the spammer’s landing page.

Breaking into websites at hosting facilities is often fairly easy, according to Cloudmark. “Spammers do not need root access to the account in order to take advantage of it. All they need is a PHP shell, and they exploit a number of different vulnerabilities in order to obtain this access,” the report notes.
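The kind of dropped PHP shell the report describes is what a hosting provider's abuse team would want to find during remediation. The following heuristic scanner is an added example, not Cloudmark's code or anything from the report; its indicator patterns are assumed common shell idioms, and the web root it scans is built from constructed sample files.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicators of a dropped PHP shell (case-insensitive); hits are leads, not proof
RULES = {
    # eval() fed by an obfuscated blob, e.g. eval(base64_decode(...))
    "eval_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # command execution or eval driven directly by a request parameter
    "exec_request_input": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
        r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # function named by the attacker at runtime: $_GET['f']($_GET['a'])
    "request_named_function": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
}


def scan_file(path: Path) -> list[str]:
    """Return the names of the rules that match this file's contents."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every *.php under root; map relative path -> matched rules (hits only)."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        if found := scan_file(p):
            hits[p.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed web root (one clean page, three planted shells) and scan it."""
    samples = {  # constructed sample files, not captured from a real compromise
        "index.php": "<?php $t = htmlspecialchars($_GET['t'] ?? ''); echo \"<h1>$t</h1>\"; ?>",
        "images/thumb.php": "<?php eval(base64_decode($_POST['c'])); ?>",
        "tmp/x.php": "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>",
        "cache/a.php": "<?php @$_GET['f']($_GET['a']); ?>",
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Running `demo()` flags the three planted files and leaves the clean `index.php` alone; against a real account, pair the scan with a comparison against a known-good copy of the installed CMS to cut false positives from legitimate code that happens to use `base64_decode`.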

By far the most common attack technique now is a SQL injection attack in Joomla 1.5, which allows a reset of the admin password, Cloudmark says. “This bug was patched in 2008, but many web sites have not updated their Joomla version since then.”

Joomla is a free, open-source content-management system. Conway says the problem is that this old vulnerability in Joomla 1.5 is a tad awkward to patch. The other major content-management system, WordPress, is usually simpler to update, he adds.

The question of who is responsible for patching may not be clear when a business, school or church sets up a website at a web-hosting provider, often with help from a consultant, Conway points out. There may be resellers in the mix as well.

The number of compromised websites is now so large that hacked hosting accounts have become a commodity sold in the cyber-criminal underground, says Conway. According to Cloudmark’s estimate, 60% of hacked domains are still under the control of spammers one month after compromise. Cloudmark says it can provide hosting companies with a list of compromised domains on their servers for remediation purposes.